SAS 70 (Type I & II) Audit Process

What is SAS 70 Type I & II Audit Services?

In today's global economy, service organizations or service providers are required to demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) for reporting on the design and operational effectiveness of a service organization's internal controls over processing transactions. SAS No. 70 enables service organizations to disclose their control activities, their effectiveness and their processes to their customers and their customers' auditors in a uniform reporting format.

SAS 70 Process Method for Compliance

Performing a SAS 70 audit is a structured, multi-step process, which includes a number of predefined processes and procedures that must take place to ensure its successful and timely completion. Depending on a service organization's needs, a SAS 70 Type II audit is generally performed for any subsequent period following the completion of a Type I. Generally, successfully completing a SAS 70 Type I and then moving towards Type II compliance for subsequent years is the most common path many service organizations choose. Type II compliance can be dependent on a variety of circumstances, but primarily it is driven by publicly traded (i.e., SEC registered) companies having to certify on the internal controls of service organizations to which they outsource material or significant functions. This is required under section 404 of the Sarbanes-Oxley Act, and therefore a Type II audit is necessary for many service organizations. SAS 70 Type II compliance can be attained by following the most common approach, whereby service organizations become Type I certified, then move towards Type II compliance for subsequent years.
However, due to factors such as varying financial statement reporting time periods for publicly traded corporations and a host of other issues, working immediately towards Type II compliance becomes the only option at times. The SAS 70 Type I and Type II Roadmap to Compliance encompasses the following:
SAS 70 Type I Audit Information

Type I audits include an examination of controls that have been placed in operation and how these controls achieve the specified control objectives as of a stated date. Generally speaking, costs and completion time for a SAS 70 Type I audit are less than those of a Type II audit. A Type I report is only issued for a particular date. For example, a certified public accounting firm would examine a company's controls and report on the "controls placed in operation" for a specified point in time, such as July 1, 2009. A fair amount of criticism of SAS 70 Type I audits has centered around their limited testing period, which many feel is inadequate to gain a sufficient understanding of a service organization's control environment. As such, Type II audits are considered the viable choice, although they too have fallen under criticism for various reasons. Type I audits are beneficial in many ways, such as laying the framework and foundation for subsequent Type II audits in future periods, along with giving the service organization an understanding of the expectations and time commitments involved in regulatory compliance auditing. Please note that completing consecutive Type I audits is typically rare, does not suffice for Section 404 of the Sarbanes-Oxley Act of 2002, and ultimately does not provide user organizations with the assurances they are seeking. Performing a SAS 70 Type I audit is a structured, multi-step process, which includes a number of predefined processes and procedures that must take place to ensure its successful and timely completion. Generally, successfully completing a SAS 70 Type I and then moving towards Type II compliance for subsequent years is the most common path many service organizations choose to undertake when considering a SAS 70 roadmap for compliance that has long-term value.
SAS 70 Type II Testing Period Considerations

Type II audits include an examination of controls that have been placed in operation and testing of their operating effectiveness. Testing of controls is required for Type II audits, with a minimum testing period of at least six months. Testing is conducted at various predetermined points throughout the six-month period, and in a manner that significantly mitigates any type of business interruption. However, other factors or circumstances can lead to a shorter testing period, such as four (4) months, or a longer testing period, such as ten (10) months. Many times, the test period is driven by external auditor requirements and user organization demands, along with the service organization's financial and operational concerns about undertaking the audit itself. For example, a user organization is often notified by its external auditors (user auditors) that one of its outsourced providers (the service organization) conducts transaction processing activities that affect the user organization's "information system". When this happens, a dialogue amongst all parties will ensue, with the testing period being a paramount topic. This is just one of many scenarios that can decide the testing period of the Type II audit. A Type II report is issued after a generally accepted period has been completed. For example, an accounting firm would examine a company's controls from July 1, 2009 to November 30, 2009 and report on the "controls placed in operation and tests of operating effectiveness" for the six-month test period of the audit. Type II compliance can be attained by following the most common approach, whereby service organizations undergo a Type I audit, then move towards Type II compliance for subsequent years.
However, due to the factors stated earlier, such as varying financial statement reporting time periods for publicly traded corporations and a host of other issues, working immediately towards Type II compliance becomes the only option at times.

SAS 70 Readiness Questionnaire for Audit Readiness Review

A SAS 70 readiness questionnaire will assist service organizations that are unsure of the necessary steps that must be in place before effectively beginning the audit process for compliance; it is essentially the first step in the readiness assessment phase. By making the entity aware of the tasks involved in preparing for and ultimately engaging in this type of audit, a precious amount of time and employee hours will be saved, ultimately affecting SAS 70 pricing. Upon examining a service organization's controls and related activities, the service auditor can then determine whether a SAS 70 Type I or Type II audit is ready to begin, or whether additional internal procedures need to be undertaken before analysis and fieldwork begin.

Goals for a SAS 70 Readiness Questionnaire and Assessment

A SAS 70 readiness questionnaire simply augments the overall engagement process for the actual audit. It provides for a more streamlined, efficient audit, along with helping to mitigate any business interruption issues when conducting the engagement itself. It should not be looked upon as an additional cost of the engagement, but rather as a useful and proactive tool for successfully completing the audit. A SAS 70 readiness questionnaire and the assessment itself can be completed in a number of ways, but this is primarily dependent on the approach used by the SAS 70 auditor. Some firms conduct readiness assessments on site, traditionally ranging from 2 to 5 days, while others have employed document exchange portals for sharing information. Each approach has its drawbacks, but also its benefits.
Regardless of which approach is taken, the service auditor's goal is to gain a comprehensive understanding and working knowledge of the service organization and its underlying control environment. Items that should be discussed include, but are not limited to, the following:
How can DQS help your compliance efforts?

Our methodology of assessment is Plan, Audit, Execute and Manage.

Contact us

Please feel free to contact us. We are looking forward to hearing from you!
Rajendra Khare
Please note: email would be the preferred mode of communication.
Disclaimer: Consulting and other specialized assessment services are provided through a separate legal entity in order to fully comply with the broader principles of conflict of interest and specifically with ISO 17021 and the SEI Conflict of Interest Policy.